[sudo-users] regarding shell escape

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Thu Dec 29 13:17:49 EST 2005


Hi Ran,

The noexec option does not work on all platforms. It works on Solaris, but definitely not on AIX.

With regard to "vi", there is another option for preventing shell escapes. Instead of allowing "sudo vi", you should allow "sudo -e" or "sudoedit" only.

For AIX, a guru over here wrote a script which should prevent all shell escapes, for any sudo. You should test it on other platforms though. We manage Solaris systems as well, but with the noexec option available, why rely on a script?

The script only matters for programs that offer the opportunity for a shell escape. It is not recommended to use it in other circumstances, as it would make the sudo syntax even more complicated. It may even challenge your ability to further restrict sudo commands. The sudo syntax (at least, if you authorize sudo via LDAP, as we do) only allows for a limited number of mandatory options.

Basically, what you need to do is:
- Place the script somewhere on the system, say: /usr/local/bin/script, or /usr/bin/script
- It is not recommended that anyone can modify the script. Permissions 555 are OK.
- You should authorize sudo's to be executed like the following:
  sudo /usr/local/bin/script <the_real_command>
- The script contains two lines:
  export SHELL=/usr/bin/false
  "$@"
- This script works for the Korn Shell. I'm not really a shell expert, so I do not know for sure if this will work on other shells as well. It should be a piece of cake to test it, though.

Good luck!

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,


Huibert Kivits

"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4

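As an added example (not the script from the mail above), here is a fuller version of the same wrapper idea: it refuses anything but an approved command, passes arguments through intact, and neutralises the editor variables less uses for its "v" command as well as SHELL. The install path /usr/local/bin/noshell-wrap and the sudoers rule in the comments are assumptions.

```sh
#!/bin/sh
# Added example, not the script from the mail: a wrapper that runs one
# approved command with SHELL (and the editor variables less uses for its
# "v" command) pointing at a program that does nothing.  Assumed install
# path: /usr/local/bin/noshell-wrap, owner root, mode 0555, and a sudoers
# rule such as:  user ALL = /usr/local/bin/noshell-wrap /usr/bin/vi

# Programs the wrapper agrees to run; anything else is refused up front,
# so the user cannot feed it an arbitrary command through the sudo rule.
ALLOWED="/usr/bin/vi /bin/vi /usr/bin/less"

# Stand-in for the shell; /usr/bin/false is what the mail uses.
NOSHELL=/usr/bin/false

# is_allowed CMD -> returns 0 if CMD is on the allow-list, 1 otherwise.
is_allowed() {
    for c in $ALLOWED; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# run_noshell CMD [ARGS...] -> runs CMD with the shell variables neutralised.
# Returns 2 for a missing, relative or non-approved command.
run_noshell() {
    [ $# -ge 1 ] || { echo "usage: $0 /path/to/command [args...]" >&2; return 2; }
    case $1 in
        /*) ;;
        *)  echo "refusing relative command: $1" >&2; return 2 ;;
    esac
    is_allowed "$1" || { echo "refusing: $1 is not on the allow-list" >&2; return 2; }
    # "$@" hands every argument through unchanged; a bare $* would
    # re-split arguments that contain spaces.
    SHELL=$NOSHELL VISUAL=$NOSHELL EDITOR=$NOSHELL "$@"
}

# Dispatch only when invoked as the installed script (not when sourced).
case $0 in
    */noshell-wrap|noshell-wrap) run_noshell "$@" ;;
esac
```

This only helps against programs that consult SHELL, VISUAL or EDITOR before spawning a subprocess (vi's :! and :sh, less's ! and v); a program that calls /bin/sh directly is unaffected, which is why noexec remains the better control where the platform supports it.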


-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On behalf of Ran Li
Sent: Thursday, 29 December 2005 17:50
To: sudo-users at sudo.ws
Subject: [sudo-users] regarding shell escape


Hello all,

I'm using LDAP for sudoer entries, yet I cannot prevent shell escapes properly. My platforms are SunOS 5.9, 5.10, HPUX 11.11, Linux 2.6.9-11, sudo version 1.6.8p12.

After compiling, running `sudo -V | grep "dummy exec"` gives:
# ./sudo -V | grep "dummy exec"
File containing dummy exec functions: /opt/sudo/libexec/sudo_noexec.so

and sudo_noexec.so is in place.

I tried to create a role called noexec ... it does not forbid the vi shell escape.

LDAP Role: Noexec
  Commands:
    /usr/bin/less
    /bin/vi
    /usr/bin/vi

I also tried to add NOEXEC as a prefix of a sudoCommand, but that does not work either ..

LDAP Role: Admin
  Commands:
    NOEXEC: /usr/bin/less
    NOEXEC: /bin/vi
    NOEXEC: /usr/bin/vi

Other than completely blocking the vi command, does anybody have experience preventing shell escapes properly using LDAP sudoer entries? Thanks.

Regards,

Ran

____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users